GDPR Myth: What happens in the EU must stay in the EU

If there’s one thing keeping governance, privacy, risk, and security folks awake at night it is the EU GDPR – the new regulation on data protection coming into effect in May 2018. It details how personally identifiable information (PII) on the EU’s 500 million citizens should be handled and is not just a law for EU organizations, but for anyone globally who handles data on EU citizens.

One of the areas that causes a lot of confusion is whether EU PII data can leave the EU and, if so, under what circumstances. There is no blanket ban, however the individuals whose PII data potentially leaves the EU need to be informed and allowed to opt out, controls need to be in place to ensure their data is tracked, secured, and protected by everyone in the chain who may process the data, and if their data is potentially disclosed then they need to be informed of it! Given the enormous logistical complexity and costs, it is little wonder that EUGDPR short-hand has translated to, EU PII data cannot leave the EU.

The GDPR: An Action Guide for IT

The book GDPR – An Action Guide for IT covers this in more depth together with details on collecting data, processing data, and action on data loss, and it provides an Action Plan to conform to the regulations. For this blog, I’ll just look at the requirements needed to allow PII data to be transferred outside the 28 countries of the EU and three countries of the EEA.

From a legal perspective, data transfer occurs as soon as the data leaves the 31 countries, no matter how it happens. For example, this could be emailing data to a non-EU employee, data storage on a non-EU-based cloud service or any CRM or marketing service outside the EU, even if the data is subsequently brought back into the EU.

The individual must be told before they opt-in to their data being collected that the data may be transferred outside the EU and given the chance to reject that transfer.

The responsibility for data protection cascades down to all organizations and individuals that use the data, and the data keeps its rights as it is transferred and processed. Data Processors must have a legal contract with the data controller that agrees to this (Article 28 of the regulation).

If the data is to be sent to any country recognized by the EU as having “adequate” data protection laws, no additional requirements are needed (Article 45). Currently the list of countries considered adequate is Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The list is published here

If data is required to be sent to other countries, there needs to be appropriate legal safeguards (Articles 46 & 47), for example those giving the user rights to check, access, delete, and change that data and effective legal remedies if the data is subsequently breached. There are a number of recommended ways of providing these safeguards via contractual clauses between data controllers and processors.

The USA is a special case where the complexity of the shared responsibility for data protection between individual states and federal law and the jurisdictional overlap between the security services and the Commerce Department has meant that it hasn’t been possible for the EU to consider that all transfers to the USA are “adequate”. In response, the U.S./EU Privacy Shield (and the U.S./Swiss Privacy Shield) have been developed. This allows US companies to self-certify that they will provide data protection safeguards aimed to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. There is a likelihood that this will be tested in court during 2017 as privacy campaigners in the EU are not sure it is robust enough.

As an aside, assuming the UK leaves the EU and EEA it will then be another country that the EU will need to review in order to determine whether its data protection laws are considered adequate. There’s a lot of discussion around this, especially with the wide powers of data interception that the UK law enforcement authorities have at their disposal.

After reading the points above you may feel concerned about whether you can trust everyone else in your data chain to fulfill their piece. The great news is that the GDPR gives you a “Get out of Jail Free” card, and that card is encryption with your own keys.

The regulation reminds us that adding encryption mitigates many data loss risks (Recital 83 & Article 32). Even more powerfully, it points out that if data is lost the data subjects do not need to be informed if the data has been rendered “unintelligible to any person who is not authorized to access it, such as [via] encryption”.

Those sections show the value of encrypting data before it is uploaded to a cloud service or transferred out of the EU, but there’s a hidden sting in the tail. It points out that the data should be unintelligible to ANY person not authorized to access it. To take that literally, the encryption should take place on the data controller’s premises before being uploaded to the cloud and the keys should not be stored in the cloud service.

One final point – in practice, most of this is not new. The previous data protection legislation (based on the 1995 Data Protection Directive) that is currently in effect has very similar requirements, however the GDPR has focused minds with its higher fines, stronger expected enforcement, and mandatory breach notification.

Happily, transferring data on EU residents outside the EU is not disallowed, however every organization with data on EU individuals including EU employees and anyone who has EU residents registering on their web site needs to consider the regulation of data transfers.

The information provided is for informational purposes only and not for the purpose of providing legal advice. You should seek advice and guidance from your own legal counsel with respect to any interpretation of GDPR or a particular law. The opinions expressed in this document may not reflect the opinions of McAfee.